Feature: Log out of other sessions

Currently the only way to log out of all sessions is to change your password. Of course you can change your password to itself, however, this pull request makes it a bit more explicit. Underneath the covers it forces a change in the password salt by simply changing the password to itself.
2026-01-27 07:48:16 -05:00 · 2012-01-07 17:12:46 -08:00
parent 33898efe34
commit ec4739b452
2 changed files with 39 additions and 1 deletions
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -590,6 +590,25 @@ class ApiController(RedditController):
        c.user.add_friend_note(friend, note)
        form.set_html('.status', _("saved"))

+    @validatedForm(VUser('curpass', default=''),
+                   VModhash(),
+                   password = VPassword(['curpass', 'curpass']),
+                   dest = VDestination())
+    def POST_clear_sessions(self, form, jquery, password, dest):
+        """Clear all session cookies and update the current one."""
+        # password is required to proceed
+        if form.has_errors("curpass", errors.WRONG_PASSWORD):
+            return
+
+        form.set_html('.status',
+                      _('all other sessions have been logged out'))
+        form.set_inputs(curpass = "")
+        # run the change password command to get a new salt
+        change_password(c.user, password)
+        # the password salt has changed, so the user's cookie has been
+        # invalidated.  drop a new cookie.
+        self.login(c.user)
+
    @validatedForm(VUser('curpass', default = ''),
                   VModhash(),
                   email = ValidEmails("email", num = 1),
--- a/r2/r2/templates/useriphistory.html
+++ b/r2/r2/templates/useriphistory.html
@@ -20,7 +20,9 @@
 ## CondeNet, Inc. All Rights Reserved.
 ################################################################################

-<%namespace file="utils.html" import="timestamp"/>
+<%namespace file="utils.html" import="error_field, timestamp"/>
+<%namespace name="utils" file="utils.html"/>
+
 <%
    from r2.lib.strings import strings
    ip_format = {'address': request.ip}
@@ -53,3 +55,20 @@
 </table>
 </div>

+<hr/>
+
+<h1>${_("Log out of all other sessions")}</h1>
+
+<form action="/post/clear_sessions" method="post"
+      onsubmit="return post_form(this, 'clear_sessions')" id="clear_sessions">
+
+<div class="spacer">
+  <%utils:round_field title="${_('current password')}" description="${_('(required)')}">
+  <input type="password" name="curpass" />
+  ${error_field("WRONG_PASSWORD", "curpass")}
+  </%utils:round_field>
+</div>
+<button type="submit" class="btn">${_('clear sessions')}</button>
+<span class="status error"></span>
+
+</form>